Who is Participating?

Go to
- IIS Manager
- Right Cilck on the Websites Folder and go to properties
- Go to the home directory tab
- Click Configuration
- Go to Options
- Change the sesson state timeout to something larger

0

Gemini532Author Commented: 2007-11-26

could it be in a local cashe on their computer, by their I mean the users who fill out our form?

This is a 7 page application which gets its data in the database only after all 7 pages have been filled...It treats the whole application as on huge page, and we are loosing data becasuse sometimes the data does not make it to the database... Can you think of any reason why this might happen?

No idea, all depends on your web app. Session variables, postback data, cookie (unlikely due to size limitations), text file on the server?
Could the user be going for a walk between pages and 4 and 5 (for example) and their session times out, they return fill out the remainder of the form and end up only submitting the last bit to the DB as the first lot was lost when the session timed out?

The data could be disappearing because a session is timing out, or because you are saving it in cookies but the user is disallowing cookies, or.... it depends on how the application is preserving the data between pages.

Do you have control over the application coding, or is it a third-party application? If control is in-house, you may want to write all of the data to the DB in a staging table which holds it longer than a session would, and have a hidden field or URL parameter on all of the pages that contains the operational session - that is, some unique identifier you will use to track a user's data entry even when a session has expired. Using this, you could decide that the data remains for 30 minutes since the last submission, or 30 days.

0

Gemini532Author Commented: 2007-11-26

I am using a recordset
ODBC connection like this:
adodb.connection

0

Gemini532Author Commented: 2007-11-26

Hi Chumad, if that was true, wouldnt' it make sense that NO ONE woudl be able to complete the applicatoin, where in our case it is only a small percentage of users and when they switch computers they're usually fine

What about the idea of using session varialbes which expire in 15 min, can we set to to expire when the user closes his browser sesssion, is that done in IIS? or in the CODE through parameters?

we're also using several sotred procedures especially to send out the emails from the application which lets the user know how many departments they have chosen if the email tells them zero, it means that their datad idn't mkae it to the DB because the application forces them to choose at lesat one

0

Gemini532Author Commented: 2007-11-26

Do you have control over the application coding, or is it a third-party application?

I HAVE CONTROL, well the DB people do but they will be willing to work with me if you can only tell me what needs to be done... I myself am not an expert on IIS but I know we are using IIS and I did suspect that that is where the session variables would need to iincrease thier time to the point when the user closes his browser session...is this possilbe, can you tell me how?

0

Gemini532Author Commented: 2007-11-26

Hi bhess1,

>>Do you have control over the application coding, or is it a third-party application? If control is in-house, you may want to write all of the data to the DB in a staging table which holds it longer than a session would, and have a hidden field or URL parameter on all of the pages that contains the operational session - that is, some unique identifier you will use to track a user's data entry even when a session has expired. Using this, you could decide that the data remains for 30 minutes since the last submission, or 30 days.

THIS IS it! THANK YOU! this is what we need. However I do not understand a word of it... can you give me a link to read up on it... anything that coudl help me understand what you mean and most importantly can you tell me is this something done through code or in the IIS?

Each variation of the above requires somewhat different techniques, although there are common points as well. The coding environment on the web server side is as important as the DB, or the browser.

0

Gemini532Author Commented: 2007-11-26

actually bhess1, my brohter is against your idea of leaving the session vairalbes open for a long time because they contain secure information which if hackers were to get at it it coudl open up us to lawsuits

I'm usin ASP(VBScript)

My brohter uses PHP to increase security while programming with session variables and he uses the following function 2 do it:
regenerate_session_id().
Is there an equavalent function in ASP?

you should know that sessions timing out is only where there is no user activity (sending/receiving page/data) with the server.
The session will only time out if there is zero client-server activity for 15 minutes. Do any of your pages take this long to complete?

How about sending chunks (a page at a time) of data to a temp db and then on the last page submit, gather all the data back and insert it into your main table?

unless you are using https or some sort of cusom encryption then you are sending that secure info to/from the server anyhow. A hacker is much more likely to get info over the wire than they are accessing the server itself

As for the session information, it is only available in two areas:
The user's PC
The Website's session repository (DB or ?)

If the hacker has access to these areas, then you're hosed anyway, and they really don't need access to session information. Cookies are more problematic, since using the app from a public terminal could result in unwanted information being available to a stranger.

But in any case, information from a multipage application needs to be maintained *somewhere*. If that somewhere is not where you specify, then you have no control over the security of the data. Who would you trust - you, or a random end user - when it comes to security, hmmm?

If the cookie has no expiry date then it will be gone when the browser is closed (of course this assumes the user closes their browser). That said, cookies have limited capacity when it comes to holding data so 7 pages of form data could push the limits. Personally I'd go with holding the data either in a db or text file and appending to it when each page is submitted.
Put a datetime stamp on the page submits so that you can runa script on the db to clean up old unfinished visits.
Even with all this, when the session is gone it is gone so you are going to need someway ti ID the user if they return to fill out more pages.
If yu are dealing with secure data then I'm guessing they need to do this anyways?

That depends on how you have configured ASP. It can store session data in cookies, in a database, in memory on the server.

You can also write mechanisms to preserve the data in hidden fields on the web pages fed to the user, in the URL data, in a DB, in files on the hard drive, or in dang near any other location you want. But these are coding choices, not automatic functions of ASP

0

Gemini532Author Commented: 2007-11-28

>>You can also write mechanisms to preserve the data in hidden fields on the web pages fed to the user, in the URL data, in a DB, in files on the hard drive, or in dang near any other location you want. But these are coding choices, not automatic functions of ASP

Where does this configuration take place? IIS?

I'm really sorry I know very little about Cookies and I have no access to IIS I have to work on this with someone who does as the application is on a server to which I do not have permissions...

Therefore, a lot of your explanation is very confusing me to, but I'm hoping it will make sense to my co-worker

Usually all the problems come to me, even if they are server problems and I have to come up with a solution before i cap approach the database administrators...

So what you are saying is that for each application on our server we can set the session varibles used by that application on IIS? Increase their time out?

However you are also saying that the session variables will NOT terminate when the browser session ends, but it will ONLY terminate at the end of the timeout set in IIS?

Am I understand this?
I'm sorry to keep asking but this is completely new to me... I have worked with cookies 5 years ago, and it was very simple cookies, however the session variables behave somewhat differently...

Also have you heard for something called Application Varaibles in ASP? Would replacing session variables with application variables be any better?

The code is already written, we want to increase the timeout of the seession variables, but we are afraid to security risks. After all the application is on the Internet, but it has SSL security it's on a https website... How safe is it to incease the timeout for the session variables?

I promise this will be the last question, and once I get my answer, I will print this page and show it the the database administrator... He has acccess to the server and to IIS on the server where the application is located :)

0

Gemini532Author Commented: 2007-11-28

ALSO, thank you for the link bhess1 :)

0

Gemini532Author Commented: 2007-11-28

I just noticed that the configuration is for IIS6, we do not have IIS6, or ASP.NET